As the media often reports, the world of cybersecurity can be seen as the ‘Wild West’. There’s now a wide range of Internet of Things (IoT) devices connected to the web, making this a hot topic. Among these devices are security cameras. IoT devices are computers, and the software they run makes them vulnerable. As the famous cybersecurity evangelist Mikko Hypponen says, "If a device is smart, it's vulnerable!"

Hypponen is right. On a daily basis, new vulnerabilities are found in software, regardless of the manufacturer. In 2019, more than 12,000 vulnerabilities worldwide were made public and reported as CVEs (Common Vulnerabilities and Exposures) in the National Vulnerability Database (NVD). Unfortunately, vulnerabilities are a given. What really matters is how a company deals with and resolves vulnerabilities.

Cybersecurity vulnerabilities

Awareness of cybersecurity vulnerabilities is vitally important to protect you, your business and the Internet, but it’s also important to understand that a vulnerability is not synonymous with “backdoor”, and is not necessarily indicative of “cheap quality.”

But there are companies out there that are embedding safeguards into their development processes to reduce the risks. You could see them as ‘Sheriffs’, taking steps to make this Wild West a little safer.  

Why Hikvision chooses ‘Secure-by-Design’

Security cameras, like all other IoT devices, are vulnerable to cyberattacks. Fortunately, manufacturers of IoT devices can significantly reduce these vulnerabilities during the production of devices, using a process called ‘Secure-by-Design’. Implementation of Secure-by-Design requires a commitment on the part of the manufacturer’s management team and a serious investment in resources and technology, which can result in a longer production process and a higher cost of the IoT device. Cost is often the reason why some IoT device manufacturers do not use Secure-by-Design (and are indeed cheaper). 

Hikvision is a producer of IoT devices that takes security and privacy very seriously and has implemented Secure-by-Design in its production process. Management supports this process and has even set up a dedicated internal cybersecurity structure charged with product cybersecurity. This group is also the central point of contact for all other cybersecurity matters. The Hikvision Security Development Life Cycle (HSDLC) is an essential part of Hikvision's cybersecurity program. Cybersecurity checks take place at every stage of product development — from concept to delivery.

For example, product testing takes place during the verification phase, and the company also regularly invites well-known security companies and public testing platforms to conduct penetration testing. Does this mean that all Hikvision products are immune to hacking? No, that guarantee cannot be given, but the HSDLC is a testament to a manufacturer that makes every effort to produce products that are as cyber secure as possible.

Source code transparency centre

In addition to the Secure-by-Design process, Hikvision opened a Source Code Transparency Center (SCTC) lab in California in 2018, the first lab of its kind in the industry. At this centre, U.S. and Canadian government and law enforcement agencies can view and evaluate the source code of Hikvision IoT devices (IP cameras and network video recorders). It’s important to emphasise that no product is 100 percent secure. Hikvision has a Vulnerability Management Program in place for when a vulnerability is discovered in a product.

To date, vulnerabilities that have been reported to Hikvision and/or made publicly known have been patched in the latest Hikvision firmware, which is readily available on the Hikvision website. In addition, Hikvision is a CVE CNA (CVE Numbering Authority) and has committed to continuing to work with third-party white-hat hackers and security researchers to find, patch and publicly release updates to products in a timely manner. These vulnerabilities are collected in the National Vulnerability Database (NVD) and are public. Hikvision recommends that customers who are interested in purchasing security cameras inquire about a manufacturer’s cybersecurity practices and whether it has an established Vulnerability Management Program.

Cybersecurity questions to consider 

The cybersecurity of IoT devices is a topic that needs to be addressed in a serious way and it should play an essential role in the product development process, beginning at the concept phase of an IoT product. This requires time, investment and knowledge.  Consider the following questions:

  • Do I trust the manufacturer of a low-cost security camera?
  • Does this manufacturer have a dedicated cybersecurity organisation?
  • How does this manufacturer handle vulnerabilities?  

These are the questions that everyone should ask themselves when making a purchase, be it a camera or any other IoT product. There is no absolute 100% guarantee of security, but Hikvision has industry-leading practices to ensure the cybersecurity of its cameras. Cooperation with its customers, installers, distributors and partners, and full transparency, are key elements to successfully secure IoT devices. When you read cybersecurity news, we invite you to look beyond the headlines, and really get to know the companies that produce the IoT devices. Before you buy a security camera or any IoT device, check out the manufacturer’s cybersecurity practices, look for a company with a robust vulnerability management program, a company that aligns itself with Secure-by-Design and Privacy-by-Design and a company that employs cybersecurity professionals who are ready and eager to answer your questions. Remember, there are Sheriffs out there, as well as bandits.


Author profile

Fred Streefland Director Cybersecurity (CSO/DPO), Hikvision

 

 

In case you missed it

The importance of a secure perimeter in safeguarding our schools

Schools play a key role in shaping our future. Following the reopening of classrooms up and down the country, young minds are returning to some normality. Once again they're being inspired, learning useful skills, and forging new interests to ensure our country's continued prosperity. Schools need a comprehensive security infrastructure to protect the children who attend them. Most notably, secure perimeters that keep unwanted people out, but also ensure visitors, parents, and students alike can access their shared community space without feeling segregated or unwelcome.

Robust boundary fencing

However, although safety is often the primary concern of parents, with tighter budgetary constraints and funds prioritised to make schools COVID safe, it can be all too easy to let important perimeter replacement or improvement programmes slip.

The purpose of boundary fencing is to restrict unauthorised entry and exit from school grounds, and should be specifically designed to be fit for purpose. Opting for fencing with a welded pale-through-rail construction and concealed anti-tamper connectors between fence panels and posts delivers a robust boundary that's virtually impossible to break through. This style of fencing also gives a better finish with no visible joints or unsightly bolts.

Attractive and practical solutions

Unlike generic riveted palisade fencing, this solution is both attractive and practical, more so now that LPS 1175 SR1 certified and Secured by Design versions are available. The style of fencing should meet a school's desired security and safety requirements, simultaneously, it should not compromise on aesthetic considerations. As part of the public face of the school, it should be attractive as well as functional, helping overcome any concerns of creating a prison-like environment and promote a sense of well-being.

It's recommended that perimeter fencing should be: a minimum of two metres high, vandal-resistant and sturdy, grounded on a hard surface, challenging to scale, and have an anti-climb topping, much the same as a high-security option.

Access all areas

A perimeter fence requires secure access points and gates. Each educational site must consider the number of necessary entrances. These should be kept to a minimum, to make it easier to maintain control of visitor movement. However, in larger schools this is not always possible and additional entrances may be required to prevent potentially dangerous congestion at the start and end of the school day.

Furthermore, separate gates must be installed for vehicles and pedestrians to ensure they are kept at a safe distance, and avoid unnecessary openings of large, double leaf gates. All access points should be locked during the day to keep students on-site and prevent intruders from gaining access to school grounds. Gates should ideally be matched in design, height and construction to the fencing, to prevent creating vulnerable areas and compromising security.

Automatic vs manual

While automatic gates offer more control, manual gates shouldn't be overlooked. Not only are they easier to install and usually cheaper than automated gates, but they also don't rely on power, so if your site's supply is cut off, they provide a hassle-free exit. Furthermore, gates that are only used at the start and end of the day can be easily locked manually by staff.

However, automated gates do offer welcome flexibility, as they include access control devices such as remote controls, keypads and card readers, which will also increase the school's security. They're also robust and heavy, meaning it's incredibly difficult to force them open. Electric gates offer additional versatility with a choice of either full automation, or a hybrid of manned and automatic security, with staff able to allow visitors access via intercom or video system.

Securing outdoor facilities

It’s also essential to consider outdoor areas when it comes to specifying security options for educational environments. Specialist security fencing should be specified where recreational areas double up as the school’s boundary fencing. The security of the site's sports facilities will also need to be considered. Commonly known as MUGAs (Multi-Use Games Areas), enclosures can be designed with specialist mesh systems to allow multiple sports to be played in the same location while providing safety to participants, spectators and buildings.

When it comes to play areas in nurseries and junior schools, installing RoSPA approved and BS EN 1176 compliant fencing and gates is recommended. These are available in both timber and steel options and tested for their ability to provide a safe fencing and gate solution - designed to reduce the risk of limb entrapment.

Acoustic fencing is also worth considering for these environments, particularly in urban areas or where housing is close to school play areas. It can help reduce incoming ambient noise from neighbouring busy roads, railway lines, or construction sites, and contain the school noise within its boundary.

Offering sufficient protection

The current generation of children deserve an environment where they can focus on learning unimpeded by threat. Schools need robust perimeter solutions that welcome pupils, offer peace of mind to parents, and provide them with sufficient protection against intruders. Ultimately, it's the responsibility of the head teachers to engage in dialogue with knowledgeable security professionals to get the most appropriate and effective security solutions for their school, staff and students.

Protecting retail staff in a new era: live-streaming body cameras

This year has been characterised by uncertainty and extraordinary strain, which has fallen heavily on all manner of key workers. Alongside our celebrated healthcare professionals, carers and the emergency services, those working in essential retail have proved themselves to be the backbone of our society during this challenging period. As people try to grasp onto normality and cope with the unexpected changes taking place in every aspect of their lives – including the way they are allowed to shop – it’s no surprise that tensions are now running higher than ever.

Retail crime was already on the rise before the pandemic struck, with the British Retail Consortium finding that at least 424 violent or abusive incidents were reported every day last year. The Co-op recently reported its worst week in history in terms of abuse and antisocial behaviour, with 990 incidents of antisocial behaviour and verbal abuse suffered by staff between 20th and 26th July.

To manage the increased risks currently faced by retail employees, businesses must adopt new initiatives to safeguard their staff. Growing numbers of retailers including the Co-op and Asda have equipped their in-store and delivery staff with body worn cameras to enhance safety and provide them with peace of mind, as well as to discourage altercations from taking place at all.

Traditional tech

Body worn cameras are nothing new and have been used within the law enforcement industry for years. Traditional devices are record-only and can be used to record video evidence able to be drawn upon ‘after the fact’ should it be needed as an objective view of an event and who was involved. These devices can also be used to discourage violent or verbally abusive incidents from occurring in the first place. If a customer is approached by an employee, they are likely to think twice about retaliating if they know their interaction is being recorded. This stance is supported by research from the University of Cambridge that found the use of body worn cameras improves the behaviour of the wearer and those in its vicinity, as both are aware of the fact it can act as an objective ‘digital witness’ to the situation.

However, record-only body worn cameras do leave much to be desired. In fact, the same University of Cambridge study found that, in the case of law enforcement, assaults against officers wearing these devices actually increased by 15%. This could be attributed to those being recorded being provoked by the presence of the camera or wanting to destroy any evidence it may hold.

Out with the old, in with the new

Fortunately, there is a better option. Live-streaming enabled body worn cameras provide the benefits of record-only devices and more. Live-streaming capabilities are able to take ‘after the fact’ evidence one step further and provide the wearer with ‘in the moment’ safety and reassurance.

With these devices, if a retail employee is subject to a volatile situation with a customer, they can trigger live video to be streamed back to a central command and control room where security officers will be able to take the most appropriate course of action with heightened and real-time situational awareness. Having access to all of the information they could need instantly will enable security personnel to decide whether to attend the scene and defuse the situation themselves or to take more drastic action if needed, before any harm has been caused.

This capability is especially valuable for lone workers who don’t have access to instant support – such as delivery drivers, in-store or warehouse staff and distribution operators to name a few. The pandemic has also doubled the number of consumers who do their regular grocery shopping online, leading to potential supply and demand issues resulting in unhappy customers.

Live-streaming body worn cameras rely on uninterrupted mobile connectivity to excel, as they are not connected to any physical infrastructure. To minimise the risk of the live video stream buffering or freezing – a real possibility for delivery drivers who can be working anywhere in the country – retailers should look to deploy devices capable of streaming in real-time, with near zero latency footage, even when streaming over poor or constrained networks. To get the most out of their tech, retailers should also look to implement devices that can be multi-use and can be deployed as a body worn camera or a dashcam to record any incidents that may occur whilst driving.

Novel threats

While not to the same extent, retail workers have always been subject to a level of potential physical or verbal abuse. However, this year brought about a new threat that retailers must protect their staff from. The COVID-19 pandemic has been the cause of many of the new threats facing employees, but is also a threat in itself.

To mitigate this, retailers should look to introduce remote elevated temperature detection cameras in their stores, which analyse body temperature and sound an alarm when somebody’s temperature exceeds a certain threshold – as this could indicate the presence of a potential fever. When deployed on the same cellular network as live-streaming enabled body cameras, these tools can be linked to a central command centre and the alarms viewed remotely from any connected device. This means a network of cameras can be monitored efficiently from a single platform.

Ensuring the protection and security of retail workers has come to the fore this year. With the risk of infection in high-footfall locations, such as supermarkets, and the added pressure that comes with monitoring and enforcing safety guidelines, retail staff are having to cope with a plethora of new challenges. Retailers should adopt innovative technologies within their stores and delivery trucks, such as live-streaming enabled body cameras and remote elevated temperature screening solutions, to minimise the threat faced by their employees and provide them with instant support and reassurance should it be required.

Inclusion and diversity in the security industry: ‘One step at a time’

Historically, concerns about inclusion and diversity have not been widely discussed in the security market. In the last couple of years, however, the Security Industry Association (SIA) and other groups have worked to raise awareness around issues of diversity and inclusion. Specifically, SIA’s Women in Security Forum has focused on the growing role of women in all aspects of security, and SIA’s RISE community has focused on “rising stars” in an industry previously dominated by Baby Boomers.

The next generation of security leaders

There is a business case to be made for diversity and inclusion, says a report by McKinsey & Company. According to the management consulting company, gender-diverse companies are 24% more likely to outperform less diverse companies, and ethnically diverse companies are 33% more likely to outperform their less diverse counterparts. Furthermore, the “next generation of security leaders” – employees under 30 – are particularly focused on diversity and inclusion.

A panel discussion at ISC West’s Virtual Event highlighted aspects of inclusion and diversity, starting with a definition of each. Diversity refers to the traits and characteristics that make people unique. On the other hand, inclusion refers to the behaviour and social norms that ensure people feel welcome.

“We are all on a journey, and our journey takes different paths,” said Willem Ryan of AlertEnterprise, one of the SIA panelists. “There are opportunities to improve over time. We can all change and increase our ability to have a positive impact.”

Industry responsibility

The industry has a responsibility to the next generation of industry leaders to address issues of inclusion and diversity. Forbes magazine says that millennials are more engaged at work when they believe their company fosters an inclusive culture. So the question becomes: How do we unify and create opportunities to work with and champion tomorrow’s leaders? SIA is driving change in our industry to achieve that goal.

More women are active in SIA than ever before. The SIA Women in Security Forum now has 520 members, said Maureen Carlo of BCD International, the SIA Women in Security Forum Chair and another panelist. Also, more women than ever are chairing SIA committees and serving on the SIA Board of Directors.

Overcoming unconscious bias

Former SIA Chairman Scott Shafer of SMS Advisors, another of the panelists, noted that SIA awarded the Chairman’s Award to the Women in Security Forum in 2019, and to the RISE community steering committee in 2020. “There are lots of ways we are seeing the elevation of women and ethnic groups in the security industry,” said Shafer.

One topic of interest is the problem of “unconscious bias,” which can be overcome by looking at something through someone else’s lens. Ryan suggested use of the acronym SELF – Slow Down, Empathise, Learn, and Find commonalities.

Ryan recalled the value of being mentored and having someone shepherd him around the industry. “Now I want to give back,” he said. “We need to look at the things we can change in ourselves, in our company, in our communities, and in our industry. Change comes from the bottom and the top.”

Increasing representation

“It takes all of us to increase representation everywhere,” said Kasia Hanson of Intel Corp., another panelist. “We have in common that we are all human beings. Let’s make sure the next generation all have opportunities.”

Moving forward, the panelists urged the industry to get involved and create opportunities because inclusion drives diversity. Diverse companies can attract better talent and attain a competitive advantage. Awareness of unconscious bias, and working to eliminate it, is an important element of change.

Despite the progress the security industry is making, change continues to be incremental. As Ruth Bader Ginsburg has said, “Real change, enduring change, happens one step at a time.”